
Decoding Cyber Defense: CERT-UA's Battle Against Cyber Threats


In this post, we look at the efforts of Ukraine's Computer Emergency Response Team (CERT-UA) in combating targeted cyber attacks.

The Role of CERT-UA in Cyber Defense

CERT-UA, the Ukrainian government's response team for computer emergencies, has been actively taking measures to counter cyber threats. Since 2022, they have been tracking an activity identified as UAC-0024, which involves targeted cyber attacks aimed at defense forces for espionage purposes.

Understanding the Threat: The Case of CAPIBAR

One of the primary threats tracked by CERT-UA is a malicious program known as CAPIBAR. This program, also known as "DeliveryCheck" by Microsoft and "GAMEDAY" by Mandiant, uses a server-side component typically installed on compromised MS Exchange servers. It employs a variety of techniques, including Extensible Stylesheet Language Transformations (XSLT) and COM-hijacking, effectively turning a legitimate server into a control center for the malicious program.

The Initial Compromise: A Closer Look

The initial compromise often involves sending emails with an attachment in the form of a document containing a macro. In some cases, the attackers modify documents, adding a few lines of code to the structure of a legitimate macro, which triggers the launch of PowerShell.
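The macro-to-PowerShell chain described above leaves a recognizable trace in endpoint telemetry: a script host started by an Office application. The following detection logic is an added example written for this post, not CERT-UA's or Microsoft's tooling. It reads process-creation records modeled on Sysmon Event ID 1 field names (`ParentImage`, `Image`, `CommandLine`), which are an assumption about the log source; the sample events are constructed, not captured from a real incident.

```python
"""Flag script hosts (PowerShell, cmd, wscript, ...) launched by Office applications.

Added example: the event records are constructed to resemble Sysmon Event ID 1
(ProcessCreate) exports as JSON lines. Real data would come from an EDR or a
Windows event log forwarder.
"""
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Office applications that should rarely, if ever, spawn a script interpreter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# Interpreters a malicious macro typically hands off to.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line fragments that commonly accompany macro-launched PowerShell:
# encoded commands, hidden windows, no-profile, in-memory execution helpers.
SUSPICIOUS_ARGS = re.compile(
    r"(-enc\w*\s|-w(indowstyle)?\s+hidden|-nop\b|\biex\b|downloadstring|frombase64string)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    record_id: int
    parent: str
    image: str
    severity: str  # "high" when suspicious arguments are present, else "medium"
    reason: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(event: dict) -> Optional[Finding]:
    """Return a Finding if an Office parent started a script host, else None."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or image not in SCRIPT_HOSTS:
        return None
    cmd = event.get("CommandLine", "")
    match = SUSPICIOUS_ARGS.search(cmd)
    if match:
        return Finding(event["RecordId"], parent, image, "high",
                       f"{parent} launched {image} with suspicious argument '{match.group(0).strip()}'")
    return Finding(event["RecordId"], parent, image, "medium",
                   f"{parent} launched {image}")


def scan(lines: Iterable[str]) -> List[Finding]:
    """Parse JSON-lines process-creation events and collect findings in order."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        finding = analyze_event(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry: one benign Word launch, one macro-style PowerShell
# hand-off, one Excel-to-cmd launch, and one benign print-spooler helper.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"RecordId": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n invoice.docm'},
    {"RecordId": 2, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"RecordId": 3, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo hello"},
    {"RecordId": 4, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe 12288"},
]]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] record {f.record_id}: {f.reason}")
```

Only records 2 and 3 produce findings; the explorer-to-Word and Word-to-splwow64 launches are ignored because the parent/child pair is not an Office-to-interpreter chain. Treat the "medium" tier as a triage queue rather than an alert: some document automation legitimately calls cmd.exe, so the parent/child rule alone needs a baseline before it is paged on.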

The Power of KAZUAR: A Multifunctional Backdoor

Under certain circumstances, a complex multifunctional backdoor known as KAZUAR is loaded onto the affected computers. KAZUAR boasts over 40 functions, including data theft from operating system logs, authentication data, and database/configuration files of various programs.

The Turla Connection: Linking Threats to the FSB of Russia

Based on the tactics, techniques, and procedures used, as well as the use of the KAZUAR program, the activity (UAC-0024) is associated with a high degree of confidence with the Turla group (UAC-0003, KRYPTON, Secret Blizzard), whose activities are directed by the FSB of Russia.


CERT-UA's Proactive Measures: Collaborative Defense

In an effort to create favorable conditions for threat detection, CERT-UA has distributed samples of the malicious programs among cybersecurity companies. This collaborative approach enhances the collective defense against these cyber threats.

Acknowledging Allies: A Shoutout to Microsoft Threat Intelligence

CERT-UA extends its gratitude to the Microsoft Threat Intelligence team for their continuous assistance in combating cyber threats on a national scale. Their collaboration is a testament to the power of collective efforts in the fight against cybercrime.

Conclusion: The Collective Fight Against Cyber Threats

The battle against cyber threats is a collective one. It requires the concerted efforts of individuals, organizations, and nations. As we continue to navigate the digital landscape, teams like CERT-UA play a crucial role in safeguarding our cyber space. Their work serves as a reminder of the importance of vigilance, collaboration, and proactive defense in the face of evolving cyber threats.
